clickjacking:X-frame-options header missing 漏洞解决办法

07098 · 发表于 2015-12-1 08:40:49

Apache配置X-Frame-Options ,httpd.conf 添加Header always append X-Frame-Options SAMEORIGIN

2.在项目里添加过滤器；

/**
*  Software published by the Open Web Application Security Project (http://www.owasp.org)
*  This software is licensed under the new BSD license.
*
* @author    Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created February 6, 2009
*/

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter
{

private String mode = "DENY";

/**
   * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
   * decide to implement) not to display this content in a frame. For details, please
   * refer to http://blogs.msdn.com/sdl/archiv ... efense-in-ie8.aspx.
   */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
      HttpServletResponse res = (HttpServletResponse)response;
      chain.doFilter(request, response);
      System.out.println("限制mode============"+mode);
      res.addHeader("X-FRAME-OPTIONS",mode );
}

public void destroy() {
}

public void init(FilterConfig filterConfig) {
      System.out.println("限制mode init============"+mode);
      String configMode = filterConfig.getInitParameter("mode");
      if ( configMode != null ) {
         mode = configMode;
      }
}

}

<filter>
      <filter-name>ClickjackFilterDeny</filter-name>
      <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
      <init-param>
         <param-name>mode</param-name>
         <param-value>SAMEORIGIN</param-value>
      </init-param>
</filter>

<filter>
      <filter-name>ClickjackFilterSameOrigin</filter-name>
      <filter-class>cn.aresoft.web.servlet.ClickjackFilter</filter-class>
      <init-param>
         <param-name>mode</param-name>
         <param-value>DENY</param-value>
      </init-param>
</filter>


<filter-mapping>
      <filter-name>ClickjackFilterDeny</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- use the SameOrigin version to allow your application to frame, but nobody else
<filter-mapping>
      <filter-name>ClickjackFilterSameOrigin</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

账号		自动登录	找回密码
密码			立即注册

KMSpico10.2.0 免费激活Win10/Office2016（

zabbix3.4中文手册，官网完整COPY（2019042

zabbix3.4.1安装部署+微信推送信息+大屏显

VMware vcenter+vSphere 6.5 U2共享

winhex数据恢复教程（非常巨大，内容丰富）

CentOS6.5下redis-3.2.6的安装与配置

【跟谁学】韩宇极简英语课-技术人员不得不

[经验分享] clickjacking:X-frame-options header missing 漏洞解决办法

扫码加入运维网微信交流群